Last Updated on August 22, 2019 by LawEuro
Information Note on the Court’s case-law 217
April 2018
Benedik v. Slovenia – 62357/14
Judgment 24.4.2018 [Section IV]
Article 8
Article 8-1
Respect for private life
Police obtaining subscriber information associated with dynamic Internet Protocol (IP) address without a court order: violation
Facts – On the basis of information concerning the exchange of files with child pornography through a certain peer-to-peer file sharing website, the police, without a court order, requested an Internet service provider (ISP) to disclose data regarding a user to whom a dynamic Internet Protocol (IP) address had been assigned at a particular time.* The ISP provided the name and address of the relevant user, who was subscriber to the Internet service relating to the respective IP address.
Subsequently, the police obtained a court order demanding that the ISP disclose both the personal and traffic data of the subscriber linked to the IP address in question. On this basis the applicant’s family home was searched with computers being seized that were found to contain pornographic material involving minors. The applicant was found guilty of the criminal offence of displaying, manufacturing, possessing and distributing pornographic material.
The applicant then unsuccessfully complained before the domestic courts that the privacy of correspondence and other means of communication could only be suspended on the basis of a court order and therefore any unlawfully obtained information should be excluded as evidence. In this respect, the Constitutional Court concluded that the applicant, who had not hidden in any way the IP address through which he had accessed the Internet, had consciously exposed himself to the public and had thus waived the legitimate expectation of privacy. As a result, though the data concerning the identity of the user of the IP address were protected as privacy under the Constitution, no court order was required to disclose them in the applicant’s case.
Law – Article 8
(a) Applicability
(i) Nature of the interest involved – The subscriber information associated with specific dynamic IP addresses assigned at certain times in principle concerned personal data. In addition, it was not publicly available and therefore could not be compared to information found in a traditional telephone directory or public database of vehicle registration numbers. In order to identify a subscriber to whom a particular dynamic IP address had been assigned at a particular time*, the ISP had to access stored data concerning particular telecommunication events. Use of such stored data could on its own give rise to private life considerations. The sole purpose of obtaining the subscriber information in the present case was to identify the particular person behind the specific dynamic IP address. Information on such online activities engaged the privacy aspect the moment it was attributed to an identified or identifiable individual. Therefore what would appear to be peripheral information sought by the police, namely the name and address of a subscriber, had to be treated as inextricably connected to his or her relevant online activity thus revealing personal data. To hold otherwise would be to deny the necessary protection to information which might reveal a good deal about the online activity of an individual, including sensitive details of his or her interests, beliefs and intimate lifestyle.
(ii) Whether the applicant was identified by the contested measure – The applicant was the user of the Internet service in question by means of his own computer at his home and it was his online activity that had been monitored by the police. The fact that he was not personally subscribed to the Internet service had no effect on his privacy expectations, which were indirectly engaged once the subscriber information relating to his private use of the Internet was revealed.
(iii) Whether the applicant had a reasonable expectation of privacy – Notwithstanding the publicly accessible nature of the file-sharing network at issue, the applicant expected, subjectively, that his activity would remain private and that his identity would not be disclosed. The fact that he did not hide his dynamic IP address could not be decisive in the assessment of whether his expectation of privacy was reasonable from an objective standpoint. The anonymity aspect of online privacy was an important factor to be taken into account in such assessment. In particular, it had not been argued that the applicant had ever disclosed his identity in relation to the online activity in question or that he was for example identifiable by the file-sharing network through an account or contact data. The applicant’s online activity therefore engaged a high degree of anonymity, as confirmed by the fact that the assigned dynamic IP address, even if visible to other users of the network, could not be traced to the specific computer without the ISP’s verification of data following a request from the police. In addition, the Constitution guaranteed the privacy of correspondence and of communications and required that any interference with this right be based on a court order. Therefore, the applicant’s expectation of privacy with respect to his online activity could not be said to be unwarranted or unreasonable.
(iv) Conclusion – The applicant’s interest in having his identity with respect to his online activity protected fell with the scope of the notion of “private life”. Article 8 was therefore applicable.
(b) Compliance – The police request to the ISP and their use of the subscriber information leading to the applicant’s identification amounted to an interference with his rights under Article 8. The police measures had some basis in domestic law. As the relevant legislation was not coherent as regards the level of protection afforded to the applicant’s privacy interest, the Court relied on the Constitutional Court’s interpretation, according to which the disclosure of the identity of the communicating individual and traffic data** in principle required a court order. As to the Constitutional Court’s position that the applicant had waived the legitimate expectation of privacy as he had not hidden in any way the IP address through which he had accessed the Internet, the Court did not find it reconcilable with the scope of the right to privacy under the Convention. Therefore, a court order was necessary in the present case and nothing in the domestic law prevented the police from obtaining it.
The domestic authorities’ reliance on the provisions of the Criminal Procedure Act, which concerned a request for information on the owner or user of a certain means of electronic communication and did not contain specific rules as to the association between the dynamic IP address and subscriber information, was therefore manifestly inappropriate. Moreover, it offered virtually no protection from arbitrary interference. At the relevant time there appeared to have been no regulation specifying the conditions for the retention of data obtained under the Criminal Procedure Act and no safeguards against abuse by State officials in the procedure for access to and transfer of such data. Furthermore, no independent supervision of the use of these police powers had been shown to have existed, despite the fact that those powers compelled the ISP to retrieve the stored connection data and enabled the police to associate a great deal of information concerning online activity with a particular individual without his or her consent.
In sum, the law on which the contested measure was based and the way it had been applied by the domestic courts lacked clarity and did not offer sufficient safeguards against arbitrary interference. The interference with the applicant’s right to respect for his private life was thus not “in accordance with the law”.
Conclusion: violation (six votes to one).
Article 41: finding of a violation constituted sufficient just satisfaction in respect of any non-pecuniary damage.
(See also Delfi AS v. Estonia [GC], 64569/09, 16 June 2015, Information Note 186)
* IP addresses are series of digits assigned to networked computers to facilitate their communication over the Internet. When a website is accessed, the IP address of the computer seeking access is communicated to the server on which the website consulted is stored. ISPs allocate to the computers of Internet users either a “static” IP address or a “dynamic” IP address, that is to say an IP address which changes each time there is a new connection to the Internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, through files accessible to the public, between a given computer and the physical connection to the network used by the ISP.
** “Traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof. Traffic data may inter alia consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the location of the terminal equipment of the sender or recipient, etc.
Leave a Reply